June 5, 2024 at 07:01AM
RansomHub, a new ransomware strain, has been identified as a rebranded version of Knight ransomware. It employs double extortion tactics and targets various platforms, using phishing campaigns for distribution. The group behind it has been linked to recent attacks and is recruiting affiliates. Ransomware activity has been on the rise, with increasing code reuse and use of legitimate tools.
Key takeaways:
– RansomHub is a rebranded version of Knight ransomware, which was an evolution of Cyclops ransomware.
– RansomHub has been linked to recent ransomware attacks, including those on Change Healthcare, Christie’s, and Frontier Communications.
– The source code for Knight ransomware was put up for sale in late February 2024, indicating a potential change in the operation.
– Symantec reported significant code overlap between Knight and RansomHub, making differentiation difficult.
– RansomHub leverages known security flaws like ZeroLogon for initial access and drops remote desktop software prior to ransomware deployment.
– RansomHub has been linked to 26 confirmed attacks in April 2024 and is attempting to recruit affiliates impacted by recent shutdowns or exit scams.
– There has been a rebound in ransomware attacks, with new variants like BlackSuit, Fog, and ShrinkLocker emerging.
– ShrinkLocker utilizes VBScript to take advantage of Microsoft’s BitLocker utility for unauthorized file encryption, targeting countries such as Mexico, Indonesia, and Jordan.